Scheduled Tasks (sec-cron)
Monitors cron jobs (Linux) and scheduled tasks (Windows) for changes, suspicious paths, and insecure permissions.
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| enabled | bool | true | Enable/disable module |
| check_systemd_timers | bool | true | Check systemd timers (Linux only) |
| suspicious_paths | list | ["/tmp", "/var/tmp", "/dev/shm"] | Directories treated as suspicious when referenced by a task |
| ignore_users | list | ["root"] | Users whose crontabs are ignored |
YAML Example
```yaml
sec_cron:
  enabled: true
  check_systemd_timers: true
  suspicious_paths:
    - "/tmp"
    - "/var/tmp"
    - "/dev/shm"
  ignore_users:
    - "root"
    - "www-data"
```
Diagnostic Codes
Linux
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 7100 | 0 | No issues detected | — |
| 7101 | 1 | System crontab added/modified | Verify change |
| 7102 | 1 | User crontab modified | Verify change |
| 7103 | 1 | Systemd timer modified | Verify change |
| 7104 | 2 | Cron file is world-writable | Restrict permissions |
| 7105 | 2 | Suspicious path in cron job | Investigate task, possible persistence |
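
The two severity-2 Linux checks (7104 and 7105), sketched as an added Python example; this is not sec-cron's own code. The function names, the path-matching regex and the sample crontab are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

SUSPICIOUS_PATHS = ("/tmp", "/var/tmp", "/dev/shm")  # default from the table above

def suspicious_hits(cron_text, suspicious_paths=SUSPICIOUS_PATHS):
    """Return (line_no, directory) for each active cron line naming a listed directory."""
    hits = []
    for no, line in enumerate(cron_text.splitlines(), 1):
        body = line.strip()
        if not body or body.startswith("#"):
            continue  # blank lines and comments never run
        for d in suspicious_paths:
            # Directory itself or anything under it; not /opt/tmp or /tmpfiles.
            pattern = r"(?<![\w./-])" + re.escape(d) + r"(?=[/\s;'\"]|$)"
            if re.search(pattern, body):
                hits.append((no, d))
    return hits

def scan_cron_file(path):
    """Return sorted diagnostic codes for one cron file: 7104, 7105, or [7100]."""
    codes = set()
    if os.stat(path).st_mode & stat.S_IWOTH:  # stat follows symlinks to the target
        codes.add(7104)  # cron file is world-writable
    with open(path, encoding="utf-8", errors="replace") as fh:
        if suspicious_hits(fh.read()):
            codes.add(7105)  # suspicious path in cron job
    return sorted(codes) or [7100]

# Constructed sample in /etc/cron.d format (not taken from a real host).
SAMPLE = """\
0 3 * * * root /usr/local/bin/backup.sh
*/5 * * * * www-data /dev/shm/.cache/update --quiet
15 2 * * * root /usr/bin/find /opt/tmp -mtime +7 -delete
# */1 * * * * root /tmp/old-job.sh
"""

def demo():
    """Write SAMPLE to a temp file with an insecure mode and scan it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-cron")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o666)  # simulate a world-writable cron file
        return suspicious_hits(SAMPLE), scan_cron_file(path)

if __name__ == "__main__":
    print(demo())
```
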
Windows
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 8100 | 0 | No issues detected | — |
| 8101 | 1 | New scheduled task detected | Verify task |
| 8102 | 1 | Scheduled task modified | Verify change |
| 8103 | 2 | Suspicious path in task | Investigate task |
| 8104 | 1 | Task running under unexpected identity | Review service account |
| 8105 | 1 | Task removed from baseline | Verify removal |
- Linux: Checks `/etc/cron.*`, user crontabs, and systemd timers.
- Windows: Checks scheduled tasks via `schtasks` and PowerShell.